This article was created to answer the question regarding whether or not CloudSOC will generate a new Incident or 'Rescan' an email when it is moved from a user's O365 Inbox to another Inbox folder.
O365 + CloudSOC + DLP Enforce
• Testing was performed and confirmed that a Rescan of an email does not automatically take place- therefore, a new Incident will not be auto generated.
• Even if the email is moved to a folder before the Securlet has performed a scan, the Securlet will scan the mail at least once.
• Engineering was also engaged to confirm the above conclusion.